Newest RIG exploit kit driven by malicious advertising

Steve Ragan | Aug. 4, 2015

Earlier this year, a disgruntled reseller leaked the source code for version 2.0 of the RIG exploit kit.

One of the victimized ad networks is buy-targeted-traffic.com, which lets customers choose who their ads are shown to by browser type, geography, operating system type, and more. Because RIG only targets Internet Explorer users, this feature was perfect for the malvertising run: it enabled victim screening.

For as little as 0.20 cents, a RIG customer can purchase 1,000 ad impressions on low-end websites, delivering steady traffic that runs under the radar.

"According to the referrers [registered by the kit], many large websites were abused by malvertising campaigns in order to redirect visitors to the RIG exploit kit, these include large news sites, investment consulting firms, IT solution providers, etc. all ranked in Alexa's top 3000," Levin explained in a blog post.

The larger websites were snared by the campaign despite having no direct relationship with the abused ad networks. This is due to how advertisement bidding works, Levin said.

"When a large legitimate advertising network doesn't have a high-end advertisement to display, it turns to affiliates who offer ads for lower prices, in these low price ranges exploit kits such as RIG can find hits for fairly low prices."

Big fish in a big pond:

While watching the active campaigns on the RIG servers, the researchers noticed that just one customer accounted for more than 70 percent of the observed infections. This customer jumped to the top spot by delivering the Tofsee spam bot.

The variant of Tofsee used by the customer attempted to send 1 million emails a day from a single infected system, but only about 2,000 of them were actually sent. Crunching the numbers, SpiderLabs researchers determined that the client was conservatively earning $60,000 to $100,000 USD per month.

"The average of 80,000 USD is not too shabby by all counts, right? That is, if you don't mind being a criminal," Levin said.

The continued existence of RIG and the popularity the exploit kit enjoys in the criminal marketplace proves that as long as there are willing customers, this turnkey business will continue to thrive.

"It seems that exploit kits, much like the mythological hydra, just keep coming back. Chopping off one head merely grows two new ones to replace it. They are growing more accurate, more sophisticated, and worst of all, more widespread," Levin concluded.